Recorder

ABSTRACT

A memory card (110) decodes data delivered to a data bus (BS3) and extracts from the data a session key (Ks1) sent from a server. Based on the session key (Ks1), an encrypting section (1406) encrypts a public encryption key (KPm(1)) of the memory card (110) and delivers it to the server through the data bus (BS3). The memory card (110) receives data including a license key (Kc) and a license ID encrypted with the public encryption key (KPm(1)), which differs from memory card to memory card, decrypts the data, encrypts it again with a uniquely given secret key (K(1)), and stores it in a memory (1415).

TECHNICAL FIELD

The present invention relates to a recording device such as a memory card, which allows protection of copyright of copied information, in a distribution system for distributing information to terminals such as cellular phones.

BACKGROUND ART

Owing to progress in information communication networks such as the Internet in recent years, users can easily access network information through personal terminals employing cellular phones or the like.

In such information communication, information is transmitted as digital signals. Therefore, each user can copy music data and video data, which are transmitted via the information communication network, without degradation in the audio quality and picture quality.

Accordingly, the right of the copyright owner may be significantly infringed when copyrighted content data such as music information and image data are transmitted over the information communication network without appropriate measures for protecting the copyrights.

Conversely, top priority may be given to the copyright protection by disabling or inhibiting distribution of content data over the digital information communication network, which is growing exponentially. However, this causes disadvantages to the copyright owner who can essentially collect a predetermined copyright royalty for data copying.

Instead of the distribution over the digital information communication network described above, distribution may be performed via record mediums storing digital data. In connection with the latter case, music data stored in CDs (Compact Disks) on the market can be freely copied in principle onto magneto-optical disks (e.g., MDs) as long as the copied music is only for the personal use. However, a personal user performing digital recording or the like indirectly pays predetermined amounts in prices of the digital recording device itself and the mediums such as MDs as guaranty moneys to a copyright owner.

Further, the music data is digital data formed of digital signals, and substantially no deterioration occurs in copied information when music data is copied from a CD to an MD. Therefore, for the copyright protection, such structures are employed that the music information cannot be copied as digital data from the recordable MD to another MD.

In view of the above, it is necessary to inhibit unauthorized further duplication of the received content data, which was distributed to the public over the information communication network.

DISCLOSURE OF THE INVENTION

An object of the invention is to provide a recording device, and particularly to provide a memory card for receiving information in an information distribution system, which distributes content data or information over an information communication network of cellular phones or the like.

Another object of the invention is to provide a data distribution system, which can prevent duplication of content data without authorization from a copyright owner, as well as a recording device and particularly a memory card used in such data distribution system.

Still another object of the invention is to provide a recording device, and particularly to provide a memory card, which can improve security in an information distribution system and allows fast reproduction processing of content data.

For achieving the above objects, the invention provides a recording device for receiving and recording a license key encrypted with a first public encryption key predetermined with respect to the recording device and used for decrypting encrypted content data, including a first key holding portion, a first decryption processing portion, a second key holding portion, a first encryption processing portion, a recording portion and a second decryption processing portion.

The first key holding portion holds a first private decryption key being asymmetric to the first public encryption key and used for decrypting data encrypted with the first public encryption key. The first decryption processing portion receives the license key encrypted with the first public encryption key, and decrypts the received data with the first private decryption key. The second key holding portion holds at least one secret unique key being unique to the recording device and being symmetric in a symmetric key cryptosystem. The first encryption processing portion receives the output of the first decryption processing portion, and encrypts the license key with the secret unique key. The recording portion receives and stores the output of the first encryption processing portion. The second decryption processing portion decrypts the license key stored in the recording portion with the secret unique key.

According to the distribution system using the recording device of the invention, a license key or the like, which is distributed after being encrypted in the public key cryptosystem with an asymmetric key, is held in the memory card after being re-encrypted with the secret symmetric key unique to the memory card in the symmetric key cryptosystem allowing fast decryption. In the reproduction processing of music data corresponding to the encrypted content data, therefore, the decryption processing can be performed fast on the license key, which is information required for the reproduction processing.

Further, a level of security can be improved by using the key for data sending, which is different from the key for storage in the memory card.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 conceptually shows a whole structure of a data distribution system according to the invention;

FIG. 2 represents characteristics of data, information and others used for communication in the data distribution system shown in FIG. 1;

FIG. 3 is a schematic block diagram showing a structure of a license server 10;

FIG. 4 is a schematic block diagram showing a structure of a cellular phone 100;

FIG. 5 is a schematic block diagram showing a structure of a memory card 110;

FIG. 6 conceptually shows allocation of storage regions in a license information holding portion 1440 shown in FIG. 5;

FIG. 7 is a first flowchart representing a distributing operation in the data distribution system according to the first embodiment;

FIG. 8 is a second flowchart representing the distributing operation in the data distribution system according to the first embodiment;

FIG. 9 is a flowchart representing a reproducing operation for reproducing music in cellular phone 100 according to the first embodiment;

FIG. 10 is a first flowchart representing an operation of transfer between two memory cards according to the first embodiment;

FIG. 11 is a second flowchart representing the operation of transfer between two memory cards according to the first embodiment;

FIG. 12 is a third flowchart representing the operation of transfer between two memory cards according to the first embodiment;

FIG. 13 is a block diagram showing a structure of a memory card 114 of a second embodiment;

FIG. 14 conceptually shows allocation of storage regions in a license information holding portion 1440 and a K(1)x holding portion 1451 shown in FIG. 13;

FIG. 15 is a first flowchart representing a distributing operation performed when purchasing contents in a data distribution system according to the second embodiment;

FIG. 16 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;

FIG. 17 is a flowchart representing the reproducing operation using the memory card in the second embodiment;

FIG. 18 is a block diagram showing a structure of a memory card 116 according to the third embodiment, and corresponds to FIG. 13 showing the second embodiment;

FIG. 19 conceptually shows allocation of storage regions in license information holding portion 1440 and K(1)x holding portion 1451 shown in FIG. 18;

FIG. 20 is a first flowchart representing a distributing operation performed when purchasing contents in a data distribution system according to the third embodiment;

FIG. 21 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;

FIG. 22 represents characteristics of data, information and others used for communication in a data distribution system according to a fourth embodiment;

FIG. 23 is a schematic block diagram showing a structure of a license server 11 in the data distribution system according to the fourth embodiment;

FIG. 24 is a schematic block diagram showing a structure of a cellular phone 103 used in the data distribution system according to the fourth embodiment;

FIG. 25 is a first flowchart representing a distributing operation in the data distribution system according to the fourth embodiment;

FIG. 26 is a second flowchart representing the distributing operation in the data distribution system according to the fourth embodiment; and

FIG. 27 is a flowchart representing the reproducing operation in the data distribution system according to the fourth embodiment.

BEST MODE FOR CARRYING OUT THE INVENTION

Embodiments of the invention will now be described with reference to the drawings.

[First Embodiment]

FIG. 1 conceptually shows a whole structure of a data distribution system according to the invention.

The following description will be given by way of example on a structure of a data distribution system, in which music data is distributed to users over a cellular phone network. As will be apparent from the following description, the invention is not restricted to such an example, and may be applied to other cases, in which content data such as image data is distributed over another information communication network.

Referring to FIG. 1, a license server 10 administrating copyrighted music information encrypts music data (which will be also referred to as “content data” hereinafter) in a predetermined encryption manner, and applies the data thus encrypted to a cellular phone company, which is a distribution carrier 20 for distributing information. An authentication server 12 determines whether a cellular phone and a memory card of a user, who made access to request distribution of the music data, are regular devices or not.

Distribution carrier 20 relays over its own cellular phone network the distribution request received from each user to license server 10. When license server 10 receives the distribution request, authentication server 12 determines whether the cellular phone and memory card of the user are regular devices or not. After it is confirmed that these are regular devices, license server 10 encrypts the requested content data, and distributes it to the user's cellular phone over the cellular phone network of distribution carrier 20.

In FIG. 1, a cellular phone 100 of a user 1 includes, e.g., a memory card 110, which is releasably attached thereto. Memory card 110 receives encrypted content data received by cellular phone 100, decrypts the data encrypted for the transmission, and applies the data to a music reproducing unit (not shown) in cellular phone 100.

Further, user 1 can listen to music, which is produced by reproducing such content data, via headphones 130 or the like connected to cellular phone 100.

In the following description, license server 10, authentication server 12 and distribution carrier (cellular phone company) 20 described above will be collectively referred to as a “distribution server 30” hereinafter.

Also, the processing of transmitting the content data from distribution server 30 to each cellular phone or the like will be referred to as “distribution” hereinafter.

Owing to the above structure, a user other than a regular user, who purchased a regular cellular phone and a regular memory card, cannot receive and reproduce the data distributed from distribution server 30 without difficulty.

Further, the system may be configured as follows. By counting the times of distribution of content data, e.g., for one song in distribution carrier 20, the royalty, which is charged every time the user receives the distributed content data, can be collected by distribution carrier 20 together with charges for telephone calls so that the copyright owner can easily ensure the royalty.

The foregoing distribution of the content data is performed over a closed system, i.e., the cellular phone network so that it is easy to take measures for the copyright protection, compared with open systems such as the Internet.

For example, a user 2 having a memory card 112 can receive content data directly from distribution server 30 by user's own cellular phone 102. However, such data reception may take a relatively long time if user 2 receives the content data or the like having a large information amount directly from distribution server 30. In connection with this, the system may be configured such that user 2 can copy the content data of user 1, who has already received it. This improves the convenience of users.

From the viewpoint of protecting the right of the copyright owner, it is not allowed to provide a system configuration allowing free copying of content data.

In an example shown in FIG. 1, an operation, in which the content data itself received by user 1 is copied, and reproduction information required for reproducing the content data of user 1 is moved or transferred to user 2, is referred to as “transfer” of the music data. In this case, the encrypted content data and the reproduction information required for the reproduction are transferred between memory cards 110 and 112 via cellular phones 100 and 102. As will be described later, the above “reproduction information” has a license key, which allows decryption or decoding of the content data encrypted in accordance with the predetermined encryption scheme, as well as license information such as a license ID and information relating to restrictions on access and reproduction.

In contrast to the “transfer”, an operation of copying content data itself is referred to as “duplication”. In the duplication, reproduction information required is not duplicated so that user 2 cannot reproduce the content data. Although not described in detail, user 2 can reproduce the content data by performing additional distribution of only the reproduction information including the license key.

Owing to the above structures, a user who received the content data from distribution server 30 can flexibly utilize the data.

If cellular phones 100 and 102 are PHSs (Personal Handy Phones), a telephone conversation can be performed in a so-called transceiver mode. By using this function, information can be transferred between users 1 and 2.

In the structure shown in FIG. 1, the system requires the following schemes and structure for reproducing the content data, which is distributed in the encrypted form, on the user side. First, the system requires a scheme for distributing an encryption key in the communication. Second, the system requires a scheme for encrypting the data itself to be distributed. Third, the system requires a structure for protecting data by preventing unauthorized copying of the distributed data.

In the embodiment of the invention, when each of sessions of distribution and reproduction occurs, the destination or receiver of the content data is verified and checked sufficiently. Therefore, it is possible to prevent the distribution or transfer of the data to the recording device and content reproducing device (e.g., cellular phone), which are not authenticated, and thereby the copyright of the distributed data can be protected more reliably. The embodiment will now be described particularly in connection with the structure for enhancing such verifying and checking functions.

[Structures of Data and Keys in System]

FIG. 2 collectively represents characteristics of keys relating to encryption for communication in the data distribution system shown in FIG. 1 as well as data and others to be distributed.

First, “Data” represent content data such as music data distributed from the distribution server. As will be described later, content data Data distributed from distribution server 30 takes a form of encrypted content data {Data}Kc, which is encrypted to allow decryption at least with a license key Kc.

In the following description, expression “{Y}X” represents that the data indicated by this expression was prepared by converting data Y into an encrypted form decodable with a decryption key X.

Together with the content data, distribution server 30 distributes additional information data Data-inf in plain text, which relates to a copyright of the content data, server access and others. More specifically, additional information data Data-inf includes information for specifying a song title, an artist name and others of the content data, and also includes information for specifying distribution server 30 and other information.

The following keys are used for encryption, decryption and reproduction of the content data as well as for authentication of the content reproducing circuit (i.e., cellular phone) and the recording device (i.e., memory card).

As already described, license key Kc is used for decrypting and encrypting the content data. Also, public encryption key KPp(n) unique to the content reproducing circuit (cellular phone 100) and public encryption key KPmc(n) unique to the memory card are used.

The data encrypted with public encryption keys KPp(n) and KPmc(n) can be decrypted with private decryption key Kp(n) unique to the content reproducing circuit and private decryption key Kmc(n) unique to the memory card individually. These unique public encryption key and private decryption key for each cellular phone or each memory card have contents different from those of the other kinds of cellular phones or the other kinds of memory cards. These kinds of the cellular phones and memory cards depend on respective units, which are determined based on kinds of manufacturers of them, manufacturing dates or periods (manufacturing lots) and others. These units will be referred to as “classes” hereinafter. The natural number “n” is added for identifying the class of each memory card and each content reproducing circuit (cellular phone).

As a secret common key common to all the content reproducing circuits, the system employs a secret common key Kcom, which is primarily utilized for obtaining license key Kc and restriction information for the content reproducing circuit to be described later, as well as an authentication key KPma operated commonly in the whole distribution system. Secret key Kcom is a decryption key in the symmetric key cryptosystem, and therefore is held as the encryption key in the distribution server.

Encryption keys KPmc(n) and KPp(n), which are determined depending on the memory card and the content reproducing circuit as described above, are recorded in the memory card and the cellular phone before shipment, respectively. Keys KPmc(n) and KPp(n) thus recorded take the forms of authentication data {KPmc(n)}KPma and {KPp(n)}KPma, which are signed data allowing authentication or verification by decryption with authentication key KPma.

Secret common key Kcom common to the content reproducing device is not restricted to the symmetric key in the symmetric key cryptosystem, and may be private decryption key in the public key cryptosystem. In the latter case, the distribution server holds public encryption key KPcom, which is paired with and is asymmetric to this private decryption key Kcom, as an encryption key.

Further, the system uses information for controlling operations of the devices forming the system, i.e., devices such as cellular phone 100 (i.e., content reproducing circuit) and memory card 110, and the above information includes purchase conditions information AC, which is sent from cellular phone 100 to distribution server 30 for designating purchase conditions when the user purchases the license key or the like, access restriction information AC1, which is distributed from distribution server 30 to memory card 110 in accordance with purchase condition information AC for representing conditions for access to license key Kc recorded in memory card 110, and reproducing circuit restriction information AC2, which is distributed from distribution server 30 to cellular phone 100 for representing restrictions on the reproduction conditions of the content reproducing circuit. The access conditions define, for example, allowed times of access to license key Kc for reproduction (i.e., allowed times of reproduction) as well as specific conditions such as inhibition of duplication and/or transfer of license key Kc. For example, the reproduction conditions of the content reproducing circuit relate to conditions, which are used when a sample of a new song is distributed at a low price or no charge for sales promotion, and allow reproduction from the start of the content data only for a limited time or reproduction only for a limited period.

As keys for administering the data in memory card 110, the system employs public encryption key KPm(i) (i: natural number) determined uniquely to each recording device, i.e., memory card, private decryption key Km(i), which is unique to each memory card and allows decryption of the data encrypted with public encryption key KPm(i), and secret symmetric key K(i) unique to the memory card. The natural number “i” is added for identifying each memory card from the others.

Further, the data distribution system shown in FIG. 1 uses the following keys and others in the data communication.

As the encryption keys for keeping secrecy in the data transmission from and into the memory card, the system uses symmetric keys Ks1–Ks4, which are produced by cellular phone 100 or 102, and memory card 110 or 112 upon every distribution, reproduction and transfer of the content data.

Symmetric keys Ks1–Ks4 are unique symmetric keys, and are generated in response to every “session”, which is a unit of communication or access between or to the distribution server, cellular phone and/or memory card. These symmetric keys Ks1–Ks4 will be referred to as “session keys” hereinafter.

More specifically, the license server in the distribution server generates session key Ks1 in response to every distribution session. The memory card generates session key Ks2 in response to every distribution session and every transfer session (receiving side). The memory card likewise generates session key Ks3 in response to every reproduction session and every transfer session (sending side). The cellular phone generates session key Ks4 in response to every reproduction session. In each session, these session keys are exchanged, and the session key produced by the device on the receiving side is received, and is used for encrypting the license key therewith, and then the license key and others thus encrypted are sent so that the security level in the sessions can be improved.

Further, the data transmitted between the distribution server and the cellular phone includes a content ID, by which the system identifies the content data, a license ID which is an administration code for specifying the time and the receiver of the issued license, and a transaction ID which is a code produced in response to every distribution session for specifying each distribution session. The license ID may also serve as the transaction ID.

The license ID, content ID and access restriction information AC1 are collectively referred to as “license information”, and this license information, license key Kc and reproducing circuit restriction information AC2 are collectively referred to as “reproduction information”.

[Structure of License Server 10]

FIG. 3 is a schematic block diagram showing a structure of license server 10 shown in FIG. 1.

License server 10 includes an information database 304 which holds data for distributing the content data prepared by encrypting the music data (content data) in accordance with a predetermined scheme as well as the reproduction information, an accounting database 302 for holding accounting data according to start of access to the music data for each user, a data processing portion 310, which receives data from information database 304 and accounting database 302 via a data bus BS1, and performs predetermined processing, and a communication device 350 for performing data transmission between distribution carrier 20 and data processing portion 310 over a communication network.

Data processing portion 310 includes a distribution control portion 315 for controlling an operation of data processing portion 310 in accordance with data on data bus BS1, a session key generating portion 316 for generating session key Ks1 during the distribution session under control of distribution control portion 315, a decryption processing portion 312 for receiving authentication data {KPmc(n)}KPma and {KPp(n)}KPma, which are sent from the memory card and the cellular phone for authentication, respectively, via communication device 350 and a data bus BS2, and decrypting it with authentication key KPma, an encryption processing portion 318, which encrypts session key Ks1 produced by session key generating portion 316 with public encryption key KPmc(n) obtained by decryption processing portion 312, and outputs the encrypted key onto data bus BS1, and a decryption processing portion 320 for receiving the data, which is encrypted with session key Ks1 on each user side and is sent therefrom, via data bus BS1 and decrypting the same.

Data processing portion 310 further includes a Kcom holding portion 322 for holding secret common key Kcom common to all the content reproducing circuits as an encryption key, an encryption processing portion 324 for encrypting license key Kc and reproducing circuit restriction information AC2 applied from distribution control portion 315 with encryption key KPcom symmetric to the reproducing circuit, an encryption processing portion 326 for encrypting the data sent from encryption processing portion 324 with public encryption key KPm(i), which is obtained by decryption processing portion 320 and is unique to the memory card, and an encryption processing portion 328 for further encrypting the output of encryption processing portion 326 with session key Ks2 applied from decryption processing portion 320, and outputting the same onto data bus BS1.

In the structure described above, license server 10 utilizes secret common key Kcom in common with the cellular phone side in the symmetric key cryptosystem as the encryption key. According to the public key cryptosystem, however, Kcom holding portion 322 holds not secret common key Kcom but public encryption key KPcom, which is asymmetric to secret common key Kcom and can encrypt into a form decodable with secret common key Kcom on the cellular phone side.

[Structure of Cellular Phone 100]

FIG. 4 is a schematic block diagram showing a structure of cellular phone 100 shown in FIG. 1.

In cellular phone 100, natural number n representing the class is equal to one.

Cellular phone 100 has an antenna 1102 for receiving radio signals sent over the cellular phone network, a send/receive portion 1104 for converting the signals received from antenna 1102 into baseband signals, and for modulating data sent from cellular phone 100 and sending it to antenna 1102, data bus BS2 for data transmission between various portions in cellular phone 100, and a controller 1106 for controlling operations of cellular phone 100 via data bus BS2.

Cellular phone 100 further includes a touch key unit 1108 for externally applying instructions to cellular phone 100, a display 1110 for giving information sent from controller 1106 or the like to the user as visible information, a voice reproducing portion 1112 for operating in an ordinary conversation operation to reproduce a voice from the received data sent via data bus BS2, a connector 1120 for external data transmission, and an external interface portion 1122, which can convert the data sent from connector 1120 into signals to be applied onto data bus BS2, and can convert the data applied from data bus BS2 into signals to be applied to connector 1120.

Cellular phone 100 further includes removable memory card 110 for storing and decrypting content data (music data) sent from distribution server 30, a memory interface 1200 for controlling transmission of data between memory card 110 and data bus BS2, and an authentication data holding portion 1500 for holding authentication data {KPp(1)}KPma, which allows authentication of public encryption key KPp(1) set uniquely to each class of the cellular phone by decryption with authentication key KPma.

Cellular phone 100 further includes a Kp holding portion 1502 for holding private decryption key Kp(n) (n=1) unique to the cellular phone (content reproducing circuit), a decryption processing portion 1504 for decrypting the data received from data bus BS2 with private decryption key Kp(1) to obtain session key Ks3 generated by the memory card, a session key generating portion 1508 for generating session key Ks4, e.g., based on a random number for encrypting the data to be transmitted via data bus BS2 between cellular phone 100 and memory card 110 in the reproduction session for reproducing the content data stored in memory card 110, an encryption processing portion 1506 for encrypting session key Ks4 thus produced with session key Ks3 obtained by decryption processing portion 1504, and outputting the encrypted key onto data bus BS2, and a decryption processing portion 1510 for decrypting the data on data bus BS2 with session key Ks4 to output data {Kc//AC2}Kcom.

Cellular phone 100 further includes a Kcom holding portion 1512 for holding secret common key Kcom, which is common to all the content reproducing circuits, a decryption processing portion 1514 for decrypting data {Kc//AC2}Kcom output from decryption processing portion 1510 with secret common key Kcom, and outputting license key Kc and reproduction circuit restriction information AC2, a decryption processing portion 1516 for receiving encrypted content data {Data}Kc from data bus BS2, and decrypting it with license key Kc obtained from decryption processing portion 1514 to output the content data, a music reproducing portion 1518 for receiving the output of decryption processing portion 1516 and reproducing the content data, a selector portion 1525 for receiving the outputs of music reproducing portion 1518 and voice reproducing portion 1112, and selectively outputting them depending on the operation mode, and a connection terminal 1530 for receiving the output of selector portion 1525 and allowing connection of headphones 130.

Reproduction circuit restriction information AC2 output from decryption processing portion 1514 is applied to controller 1106 via data bus BS2.

FIG. 4 shows only some of blocks forming the cellular phone for the sake of simplicity, and particularly shows only blocks relating to the distribution and reproduction of music data according to the invention. Some of blocks related to an original conversation function of the cellular phone are not shown.

[Structure of Memory Card 110]

FIG. 5 is a schematic block diagram showing a structure of memory card110 shown in FIG. 4.

As already described, public encryption key KPm(i) and correspondingprivate decryption key Km(i) have values unique to each memory card. Inthe following description, it is assumed that natural number i is equalto one (i=1) in memory card 110. Further, keys KPmc(n) and Kmc(n) areemployed as public encryption key and private decryption key unique tothe class of the memory card, respectively. It is also assumed thatnatural number n is equal to one (n=1) in memory card 110.

Memory card 110 includes an authentication data holding portion 1400 for holding {KPmc(1)}KPma as the authentication data, a Kmc holding portion 1402 for holding private decryption key Kmc(1) unique to each class of the memory card, a KPm(1) holding portion 1416 for holding public encryption key KPm(1) unique to each memory card, a Km(1) holding portion 1421 for holding private decryption key Km(1) allowing decryption of the data encrypted with public encryption key KPm(1), and a K(1) holding portion 1450 for holding secret symmetric key K(1) unique to the memory card. Authentication data holding portion 1400 holds authentication data {KPmc(1)}KPma, which can be decrypted with authentication key KPma to allow authentication of public encryption key KPmc(1) set uniquely to the class of memory card.

Memory card 110 further includes a data bus BS3 for transmitting signals to and from memory interface 1200 via a terminal 1202, a decryption processing portion 1404 for receiving the data, which is applied onto data bus BS3 from memory interface 1200, and private decryption key Kmc(1) unique to the class of memory card sent from Kmc(1) holding portion 1402, and outputting session key Ks1, which is produced by distribution server 30 in the distribution session, or session key Ks3, which is produced by another memory card in the transfer session, to contact Pa, a decryption processing portion 1408 for receiving authentication key KPma from a KPma holding portion 1414, and performing decryption on the data applied from data bus BS3 with authentication key KPma to apply results of the decryption to a controller 1420 and decryption processing portion 1410 via data bus BS4, and an encryption processing portion 1406 for encrypting data, which is selectively applied by a select switch 1444, with the key selectively applied by a select switch 1442, and outputting the encrypted data onto data bus BS3.

Memory card 110 further includes a session key generating portion 1418 for generating session key Ks2 or Ks3 in each of distribution, reproduction and transfer sessions, an encryption processing portion 1410 for encrypting session key Ks3 generated from session key generating portion 1418 with public encryption key KPp(n) or KPmc(n) obtained by decryption processing portion 1408, and outputting the key thus encrypted onto data bus BS3, and a decryption processing portion 1412 for receiving the data encrypted with session key Ks2 or Ks3 from data bus BS3, and decrypting it with session key Ks2 or Ks3 obtained from session key generating portion 1418 to send results of the decryption onto data bus BS4.

Memory card 110 further includes an encryption processing portion 1424 for encrypting the data on data bus BS4 with public encryption key KPm(i) (i≠1) unique to another memory card in the transfer session, a decryption processing portion 1422 for decrypting the data on data bus BS4 with private decryption key Km(1), which is unique to memory card 110 and is paired with public encryption key KPm(1), an encryption processing portion 1452 for encrypting the data on data bus BS4 with private key K(1), a decryption processing portion 1454 for decrypting the data on data bus BS4 with private key K(1), and a memory 1415 for receiving and storing license key Kc and the reproduction information (content ID, license ID, access restriction information AC1 and reproducing circuit restriction information AC2), which are encrypted with public encryption key KPm(1) and are sent from data bus BS4, and for receiving and storing encrypted content data {Data}Kc and additional information Data-inf sent from data bus BS3. Memory 1415 is formed of, e.g., a semiconductor memory such as a flash memory, although not restricted thereto.

Memory card 110 further includes a license information holding portion 1440 for holding the license ID, content ID and access restriction information AC1 obtained by decryption processing portion 1422, and a controller 1420 for externally transmitting data via data bus BS3, receiving the reproduction information and others from data bus BS4 and controlling the operation of memory card 110.

A region surrounded by solid line in FIG. 5 is arranged within a module TRM, which is configured to erase internal data or destroy internal circuits for disabling reading of data and others in the circuits within this region by a third party when an illegal or improper access to the inside of memory card 110 is externally attempted. This module is generally referred to as a “tamper resistance module”.

Naturally, memory 1415 may be located within module TRM. According to the structure shown in FIG. 5, however, the data held in memory 1415 is entirely encrypted so that a third party cannot reproduce the music only from the data in memory 1415, and further, it is not necessary to locate memory 1415 within the expensive tamper resistance module. Therefore, the structure in FIG. 5 can reduce a manufacturing cost.

FIG. 6 shows allocation of storage regions in license information holding portion 1440 shown in FIG. 5.

License information holding portion 1440 can transmit the license ID, content ID and access restriction information AC1 to and from data bus BS4. License information holding portion 1440 has banks of N (N: natural number) in number, and reproduction information pieces corresponding to different licenses are held in the different banks, respectively.

[Distributing Operation]

Operations in the respective sessions of the data distribution system according to the embodiment of the invention will now be described in greater detail with reference to flowcharts.

FIGS. 7 and 8 are first and second flowcharts representing a distributing operation (which will also be referred to as a “distribution session” hereinafter), which is performed when purchasing the contents in the data distribution system according to the first embodiment.

FIGS. 7 and 8 represent an operation performed when user 1 using memory card 110 receives the content data distributed from distribution server 30 via cellular phone 100.

First, user 1 requests the distribution via cellular phone 100 of user 1, e.g., by operating keys or buttons on touch key unit 1108 (step S100).

In memory card 110, authentication data holding portion 1400 outputs authentication data {KPmc(1)}KPma in response to this request (step S102).

Cellular phone 100 sends authentication data {KPmc(1)}KPma accepted from memory card 110 as well as authentication data {KPp(1)}KPma of cellular phone 100 itself, the content ID for designating the content data to be distributed and data AC of the license purchase conditions to distribution server 30 (step S104).

Distribution server 30 receives the content ID, authentication data {KPmc(1)}KPma and {KPp(1)}KPma, and license purchase condition data AC (step S106), and performs the decryption with authentication key KPma by decryption processing portion 312. If public encryption keys KPmc(1) and KPp(1) encrypted with authentication key KPma are registered regularly, and are encrypted regularly, public encryption key KPmc(1) of memory card 110 and public encryption key KPp(1) of cellular phone 100 are accepted. If these are not registered regularly, such unregistered public encryption keys KPmc(1) and KPp(1) are not accepted (step S108).

Distribution control portion 315 makes an inquiry to authentication server 12 based on accepted public encryption keys KPmc(1) and KPp(1) (step S110). If these public encryption keys were accepted in step S108, and were regularly registered, these keys are determined as valid keys, and the processing moves to a next step (step S112). If the public encryption keys were not accepted, or if the public encryption keys were accepted but were not registered, these keys are determined as invalid keys, and the processing ends (step S170).

For authenticating public encryption key KPp(1) or KPmc(1) in the decryption processing performed with authentication key KPma, such a structure may be employed that distribution control portion 315 in license server 10 performs the authentication in its own manner in accordance with results obtained by decrypting a signature, which is added to public encryption key KPp(1) or KPmc(1), with authentication key KPma.

When it is determined from the inquiry that the keys are valid, distribution control portion 315 produces the transaction ID for specifying the distribution session (step S112).

Then, session key generating portion 316 produces session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing portion 318 with public encryption key KPmc(1) corresponding to memory card 110 and obtained by decryption processing portion 312 (step S114).

The transaction ID and encrypted session key {Ks1}Kmc(1) are externally output via data bus BS1 and communication device 350 (step S116).

When cellular phone 100 receives the transaction ID and encrypted session key {Ks1}Kmc(1) (step S118), memory card 110 operates to decrypt the received data applied onto data bus BS3 by decryption processing portion 1404 with private decryption key Kmc(1), which is held in holding portion 1402 and is unique to memory card 110, and thereby to extract decrypted session key Ks1 (step S120).

When controller 1420 confirms the acceptance of session key Ks1 produced by distribution server 30, it instructs session key generating portion 1418 to produce session key Ks2, which is to be produced during the distribution session in memory card 110.

Encryption processing portion 1406 encrypts session key Ks2 and public encryption key KPm(1), which are applied via a contact Pc of select switch 144 by switching a contact of a select switch 1446, with session key Ks1 applied via contact Pa of select switch 1442 from decryption processing portion 1404, and outputs data {Ks2//KPm(1)}Ks1 onto data bus BS3 (step S122).

Data {Ks2//KPm(1)}Ks1 output onto data bus BS3 is sent from data bus BS3 to cellular phone 100 via terminal 1202 and memory interface 1200 (step S122), and is sent from cellular phone 100 to distribution server 30 (step S124).

Distribution server 30 receives encrypted data {Ks2//KPm(1)}Ks1, and decrypts it with session key Ks1 by decryption processing portion 320 to accept session key Ks2 produced in memory card 110 and public encryption key KPm(1) unique to memory card 110 (step S126).

Further, distribution control portion 315 produces the license ID, access restriction information AC1 and reproducing circuit restriction information AC2 in accordance with the content ID and license purchase condition data AC obtained in step S106 (step S130). Further, license key Kc for decrypting the encrypted content data is obtained from information database 304 (step S132).

Referring to FIG. 8, distribution control portion 315 applies license key Kc and reproducing circuit restriction information AC2 thus obtained to encryption processing portion 324. Encryption processing portion 324 uses secret common key Kcom, which is obtained from Kcom holding portion 322 and is symmetric to the reproduction circuit, as an encryption key, and encrypts license key Kc and reproducing circuit restriction information AC2 (step S134).

Encrypted data {Kc//AC2}Kcom output from encryption processing portion 324 as well as the license ID, content ID and access restriction information AC1 output from distribution control portion 315 are encrypted by encryption processing portion 326 with public encryption key KPm(1), which is obtained by decryption processing portion 320 and is unique to memory card 110 (step S136).

Encryption processing portion 328 receives the output of encryption processing portion 326, and encrypts it with session key Ks2 produced in memory card 110. Encrypted data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2 output from encryption processing portion 328 is sent to cellular phone 100 via data bus BS1 and communication device 350 (step S138).

As described above, distribution server 30 and memory card 110 exchange the session keys produced thereby, and each execute the encryption with the received encryption key for sending the encrypted data to the other party. Thereby, mutual authentication can also be actually or practically performed when sending and receiving the encrypted data, and thereby the security level in the data distribution system can be improved.

Cellular phone 100 receives encrypted data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2 sent thereto (step S140), and memory card 110 operates to decrypt the received data applied via memory interface 1200 onto data bus BS3 by decryption processing portion 1412. Thus, decryption processing portion 1412 decrypts the data received from data bus BS3 with session key Ks2 applied from session key generating portion 1418, and outputs the decrypted key onto data bus BS4 (step S144).

In this stage, data bus BS4 is supplied with data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), which can be decrypted with private decryption key Km(1) held in Km(1) holding portion 1421. In accordance with the instruction of controller 1420, decryption processing portion 1422 decrypts data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) with private decryption key Km(1) so that data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are accepted (step S146).

Data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 thus accepted are encrypted again by encryption processing portion 1452 with secret symmetric key K(1) unique to memory card 110, and {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) is recorded in memory 1415 outside the TRM region (step S148).

The license information (license ID, content ID and access restriction information AC1), which is a part of reproduction information, is recorded in an empty bank j located in a jth position within license information holding portion 1440. Natural number j corresponds to the content data, and satisfies a relationship of (1≦j≦N) (N: total number of banks).

When the processing in and before step S150 is normally completed, cellular phone 100 sends a distribution request for the content data to distribution server 30 (step S152).

When distribution server 30 receives the distribution request for the content data, it obtains encrypted content data {Data}Kc and additional data Data-inf from information database 304, and outputs the data thus obtained via data bus BS1 and communication device 350 (step S154).

Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S156). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. In memory card 110, encrypted content data {Data}Kc and additional information Data-inf thus received are recorded in memory 1415 as they are (step S158).

Cellular phone 100 sends a notification of distribution acceptance to distribution server 30 (step S160). When distribution server 30 receives the distribution acceptance (step S162), storage of accounting data in accounting database 302 and other processing for ending the distribution are executed (step S164) so that the whole processing ends (step S170).

In the distribution processing, data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are obtained by decryption with private decryption key Km(1) in step S146, and then are encrypted with private key K(1) again for storing them in memory 1415. This is for the following reasons.

In a public key scheme using asymmetric keys, and particularly when using a combination of public encryption key KPm(1) and private decryption key Km(1), decryption processing may take a long time.

Therefore, the data is encrypted again with secret symmetric key K(1), which is unique to the memory card and is used in a symmetric key cryptosystem allowing fast decryption. This allows fast decryption processing of license key Kc and reproducing circuit restriction information AC2, which are information required for the reproduction processing, in the reproduction processing of the content data corresponding to the encrypted content data.

Further, the key for the data sending is different from the key for the data storage in the memory card so that the security level is improved.

The public key cryptosystem described above may be specifically an RSA cryptosystem (Rivest-Shamir-Adleman cryptosystem), elliptic curve cryptosystem or the like, and the symmetric key cryptosystem may be specifically a DES (Data Encryption Standard) cryptosystem or the like.

Description has been given on the structure, in which the reproduction information obtained by decrypting the data encrypted based on asymmetric key KPm(1)/Km(1) in the public key cryptosystem is entirely encrypted again with secret symmetric key K(1), which is a symmetric key in the symmetric key cryptosystem. However, another structure may be employed. For example, such a structure may be employed that data license ID, content ID and access restriction information AC1, which are held in license information holding portion 1440 provided within the TRM region of memory card 110, are neither re-encrypted nor stored in memory 1415, and data {Kc//AC2}Kcom are recorded in memory 1415 after being re-encrypted with secret symmetric key K(1).

Further, the content data can be distributed only after confirming the validities of public encryption keys Kp(1) and Kmc(1), which are sent from the content recording portion of cellular phone 100 and memory card 110 in response to the distribution request, respectively. Therefore, distribution to unauthorized devices can be inhibited, which improves the security level in the distribution.

[Reproducing Operation]

Description will now be given on the reproducing operation (which will be referred to as the “reproduction session” hereinafter), in which music is reproduced from the encrypted content data held in memory card 110, and is externally output.

FIG. 9 is a flowchart representing various operations in the reproduction session.

Referring to FIG. 9, user 1 applies an instruction to produce the reproduction request via touch key unit 1108 or the like of cellular phone 100 (step S200).

In response to the production of reproduction request, cellular phone 100 operates to output authentication data {KPp(1)}KPma, which can be decrypted with authentication key KPma, from authentication data holding portion 1500 onto data bus BS2 (step S202).

Authentication data {KPp(1)}KPma for the authentication is transmitted to memory card 110 via data bus BS2 and memory interface 1200.

In memory card 110, decryption processing portion 1408 takes in authentication data {KPp(1)}KPma, which is transmitted for authentication onto data bus BS3 via terminal 1202. Decryption processing portion 1408 receives authentication key KPma from a KPma holding portion 1414, and decrypts the data sent from data bus BS3. If public encryption key KPp(1) encrypted with authentication key KPma is regularly registered and is regularly encrypted, and thus if decryption can be performed with authentication key KPma, and the belonging data generated by the decryption can be authenticated, the decrypted public encryption key KPp(1) is accepted. If not, or if the belonging data generated by the decryption cannot be authenticated, the obtained data is not accepted (step S204).

When decryption processing portion 1408 accepts the public encryption key KPp(1), which is unique to the content reproducing circuit in cellular phone 100, controller 1420 determines that the public encryption key KPp(1) sent thereto is the public encryption key assigned to the content reproducing circuit authenticated in this data distribution system, and the processing moves to a next step S210 (step S206). If not accepted, it is determined that invalid access is made by an unauthorized device, and the processing ends (step S240).

When public encryption key KPp(1) is accepted, controller 1420 instructs session key generating portion 1418 via data bus BS4 to produce session key Ks3 in the reproduction session. Session key Ks3 produced by session key generating portion 1418 is sent to encryption processing portion 1410. Encryption processing portion 1410 encrypts session key Ks3 with public encryption key KPp(1) of cellular phone 100 obtained by decryption processing portion 1408, and outputs encrypted data {Ks3}Kp(1) onto data bus BS3 (step S210).

Cellular phone 100 receives encrypted data {Ks3}Kp(1) applied onto data bus BS via terminal 102 and interface 1200. Encrypted data {Ks3}Kp(1) is decrypted by decryption processing portion 1504, and session key Ks3 produced by memory card 110 is accepted (step S212).

In response to the acceptance of session key Ks3, controller 1106 instructs session key generating portion 1508 via data bus BS2 to generate session key Ks4 produced by cellular phone 100 in the reproduction session. Session key Ks4 thus produced is sent to encryption processing portion 1506, and is encrypted with session key Ks3 obtained by decryption processing portion 1504 to produce encrypted key {Ks4}Ks3, which is output onto data bus BS2 (step S214).

Encrypted session key {Ks4}Ks3 is transmitted to memory card 110 via memory interface 1200. In memory card 110, decryption processing portion 1412 decrypts encrypted session key {Ks4}Ks3 transmitted onto data bus BS3, and session key Ks4 produced in cellular phone 100 is accepted (step S216).

In response to acceptance of session key Ks4, controller 1420 determines access restriction information AC1 in license holding portion 1440 bearing the corresponding content ID (step S218).

In step S218, access restriction information AC1 relating to restrictions on the memory access is determined. If the reproduction is already impossible, the reproduction session ends (step S240). If the reproduction is possible but the allowed times of reproduction are restricted, the operation moves to a next step S222 after updating the data of access restriction information AC1 to update the allowed times of reproduction (step S220). If access restriction information AC1 does not restrict the reproduction times, step S220 is skipped, and the processing moves to next step S222 without updating access restriction information AC1.

When the content ID corresponding to the requested song is not present in license information holding portion 1440, it is likewise determined that the reproduction is impossible, and the reproduction session ends (step S240). When it is determined in step S218 that the reproduction is allowed in the current reproduction session, decryption processing is performed for obtaining license key Kc of the reproduction-requested song recorded in the memory as well as reproducing circuit restriction information AC2. More specifically, decryption processing portion 1454 operates in response to the instruction of controller 1420 to decrypt encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1), which is read from memory 1415 onto data bus BS4, with secret symmetric key K(1) unique to memory card 110. Thereby, encrypted data {Kc//AC2}Kcom decodable with secret common key Kcom is obtained (step S222).

Encrypted data {Kc//AC2}Kcom thus obtained is sent to encryption processing portion 1406 via a contact Pd of select switch 1444. Encryption processing portion 1406 further encrypts encrypted data {Kc//AC2}Kcom received from data bus BS4 with session key Ks4, which is received from decryption processing portion 1412 via contact Pb of select switch 1442, and outputs {{Kc//AC2}Kcom}Ks4 onto data bus BS3 (step S224).

The encrypted data output onto data bus BS3 is sent to cellular phone 100 via memory interface 1200.

In cellular phone 100, decryption processing portion 1510 decrypts encrypted data {{Kc//AC2}Kcom}Ks4 transmitted onto data bus BS2 via memory interface 1200, and accepts data {Kc//AC2}Kcom, i.e., encrypted license key Kc and reproduction circuit restriction information AC2 (step S226). Decryption processing portion 1514 decrypts encrypted data {Kc//AC2}Kcom with secret common key Kcom, which is received from Kcom holding portion 1512 and is common to all the content reproducing circuits, and accepts license key Kc and reproducing circuit restriction information AC2 (step S228). Decryption processing portion 1514 transmits license key Kc to decryption processing portion 1516, and outputs reproducing circuit restriction information AC2 onto data bus BS2.

Controller 1106 accepts reproducing circuit restriction information AC2 via data bus BS2, and determines the reproducibility (step S230).

When it is determined from reproducing circuit restriction information AC2 in step S230 that the reproduction is impossible, the reproduction session ends (step S240).

If the reproduction is possible, encrypted content data {Data}Kc of the requested song recorded in the memory of memory card 110 is output onto data bus BS3, and is transmitted to cellular phone 100 via memory interface 1200 (step S232).

In cellular phone 100, decryption processing portion 1516 decrypts encrypted content data {Data}Kc, which is output from memory card 110 and is transmitted onto data bus BS2, with license key Kc so that content data Data in plain text can be obtained (step S234). From decrypted content data Data in plain text, music reproducing portion 1518 reproduces music, and the reproduced music is externally output via switching portion 1525 and terminal 1530 so that the processing ends (step S240).

The above structures can reduce the time required for the decryption processing, which is performed for reading license key Kc and reproducing circuit restriction information AC2 required for reproduction from memory card 110 in the reproduction session. Therefore, the structures can quickly start reproduction of the music in response to the reproduction request of the user.

In the reproduction session, cellular phone 100 and memory card 110 exchange the encryption keys produced thereby, and each execute the encryption with the received encryption key to send the encrypted data to the other. As a result, the mutual authentication can be performed in each of operations of sending and receiving data in the reproduction session, similarly to the distribution session, and the security level in the data distribution system can be improved.
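The key layering of the distribution session (steps S114 to S148) and of the reproduction session (steps S210 to S228) can be traced end to end in the following added example, which is not code from the patent. The ciphers are toy stand-ins built from the Python standard library (textbook RSA over fixed Mersenne primes, a SHA-256 keystream with an HMAC tag), every key and field value is constructed, and the KPma authentication steps and the AC1/AC2 checks are left out.

```python
import hashlib, hmac, secrets

# Toy primitives, constructed for illustration only (NOT secure, not the patent's ciphers).
E = 65537

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"enc" + key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def sym_enc(key, pt):
    """{pt}key for the symmetric keys Ks1..Ks4, Kcom and K(1)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest() + ct

def sym_dec(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def keypair(p, q):
    """Textbook RSA from two fixed Mersenne primes: (public n, private (n, d))."""
    n = p * q
    return n, (n, pow(E, -1, (p - 1) * (q - 1)))

def pub_enc(n, pt):
    """{pt}KPx: RSA-wrap a fresh 128-bit key, then encrypt pt under that key."""
    k = secrets.token_bytes(16)
    size = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(k, "big"), E, n).to_bytes(size, "big") + sym_enc(k, pt)

def priv_dec(priv, blob):
    n, d = priv
    size = (n.bit_length() + 7) // 8
    k = pow(int.from_bytes(blob[:size], "big"), d, n) % (1 << 128)
    return sym_dec(k.to_bytes(16, "big"), blob[size:])

def join(*fields):
    """The '//' concatenation of the patent notation, as length-prefixed fields."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def split(blob):
    out = []
    while blob:
        n = int.from_bytes(blob[:2], "big")
        out.append(blob[2:2 + n])
        blob = blob[2 + n:]
    return out

def can_open(dec, key, blob):
    """True if 'key' removes the outermost layer of 'blob'."""
    try:
        dec(key, blob)
        return True
    except ValueError:
        return False

def run_sessions():
    # Long-term keys and license fields: all constructed sample values.
    KPmc1, Kmc1 = keypair(2**127 - 1, 2**89 - 1)   # class of memory card 110
    KPm1, Km1 = keypair(2**107 - 1, 2**61 - 1)     # memory card 110 itself
    KPp1, Kp1 = keypair(2**127 - 1, 2**61 - 1)     # reproducing circuit of phone 100
    K1, Kcom, Kc = (secrets.token_bytes(16) for _ in range(3))
    lic_id, con_id = b"license-0001", b"content-0001"
    AC1, AC2 = b"AC1-sample", b"AC2-sample"

    # Distribution session
    Ks1 = secrets.token_bytes(16)                            # server, S114
    m1 = pub_enc(KPmc1, Ks1)                                 # {Ks1}Kmc(1), S116
    Ks2 = secrets.token_bytes(16)                            # card, after S120
    m2 = sym_enc(priv_dec(Kmc1, m1),
                 join(Ks2, KPm1.to_bytes(32, "big")))        # {Ks2//KPm(1)}Ks1, S122
    srv_Ks2, kpm = split(sym_dec(Ks1, m2))                   # server, S126
    inner = sym_enc(Kcom, join(Kc, AC2))                     # {Kc//AC2}Kcom, S134
    middle = pub_enc(int.from_bytes(kpm, "big"),
                     join(inner, lic_id, con_id, AC1))       # {...}Km(1), S136
    m3 = sym_enc(srv_Ks2, middle)                            # {{...}Km(1)}Ks2, S138
    fields = split(priv_dec(Km1, sym_dec(Ks2, m3)))          # card, S144-S146
    stored = sym_enc(K1, join(*fields))                      # memory 1415, S148

    # Reproduction session
    Ks3 = secrets.token_bytes(16)                            # card
    m4 = pub_enc(KPp1, Ks3)                                  # {Ks3}Kp(1), S210
    Ks4 = secrets.token_bytes(16)                            # phone
    m5 = sym_enc(priv_dec(Kp1, m4), Ks4)                     # {Ks4}Ks3, S214
    card_Ks4 = sym_dec(Ks3, m5)                              # card, S216
    card_inner = split(sym_dec(K1, stored))[0]               # S222
    m6 = sym_enc(card_Ks4, card_inner)                       # {{Kc//AC2}Kcom}Ks4, S224
    kc_out, ac2_out = split(sym_dec(Kcom, sym_dec(Ks4, m6))) # phone, S226-S228
    return dict(Kc=Kc, kc_out=kc_out, ac2_out=ac2_out, license_id=fields[1],
                K1=K1, Ks2=Ks2, Kmc1=Kmc1, m3=m3, middle=middle,
                stored=stored, card_inner=card_inner)

if __name__ == "__main__":
    r = run_sessions()
    print("reproducing circuit recovered Kc:", r["kc_out"] == r["Kc"])
```

The card never holds Kcom in this model, so what it stores and forwards as {Kc//AC2}Kcom stays opaque to it, while the record in memory 1415 opens only under K(1).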

[Transferring Operation]

Description will now be given on the processing for transferring the content data between the two memory cards.

FIGS. 10, 11 and 12 are first and second flowcharts representing the transference of the content data, keys and others between two memory cards 110 and 112 via cellular phones 100 and 102.

In FIGS. 10–12, the natural numbers n, which represent the kinds of cellular phone 100 and memory card 102, respectively, are both equal to one (n=1). Also, the natural numbers n, which represent the kinds of cellular phone 102 and memory card 112, respectively, are both equal to two (n=2). Natural numbers i used for identifying memory cards 110 and 112 are equal to one and two (i=1 and i=2), respectively.

In FIGS. 10–12, cellular phone 100 and memory card 110 are on the sending side, and cellular phone 102 and memory card 112 are on the receiving side. Memory card 112 has substantially the same structure as memory card 110, and is attached to cellular phone 102. In the following description, respective components and portions of memory card 112 bear the same reference numbers as those of memory card 110.

Referring to FIG. 10, user 1 on the sending side applies a content transfer request via cellular phone 100 of user 1, e.g., by operating keys or buttons on touch key unit 1108 (step S300).

The transfer request thus produced is transmitted to memory card 112 of user 2 on the receiving side via cellular phone 120. In memory card 112, authentication data holding portion 1500 outputs authentication data {KPmc(2)}KPma including public encryption key KPmc(2) corresponding to memory card 112 (step S302).

Authentication data {KPmc(2)}KPma of memory card 112 is sent from cellular phone 102 of user 2 to cellular phone 100 of user 1, and is received by memory card 110 (step S304).

In memory card 110, if public encryption key KPmc(2) encrypted with authentication key KPma is regularly registered and is regularly encrypted, i.e., when the data can be decrypted with authentication key KPma, and the belonging data produced by the decryption can be authenticated, decrypted public encryption key KPmc(2) is accepted as the public encryption key of memory card 112. If the decryption is impossible, or when the belonging data produced by the decryption cannot be authenticated, the obtained data is not accepted (step S306).

When decryption processing portion 1408 accepts public encryption key KPmc(2) unique to the contents of memory card 112, controller 1420 determines that public encryption key KPmc(2) sent thereto is the public encryption key assigned to the memory card authenticated in this data distribution system, and the processing moves to a next step S312 (step S308). If not accepted, controller 1420 determines that invalid access is made by an unauthorized device, and ends the processing (step S360).

When the authentication result is valid, controller 1420 instructs session key generating portion 1418 to output session key Ks3 generated on the sending side in the transfer session. Session key Ks3 produced by session key generating portion 1418 is transmitted to encryption processing portion 1410. Encryption processing portion 1410 further receives public encryption key KPmc(2) of memory card 112, which is decrypted by decryption processing portion 1408 in step S306, and encrypts session key Ks3 with public encryption key KPmc(2). Thereby, encrypted session key {Ks3}Kmc(2) is output onto data bus BS3 (step S314).

Encrypted session key {Ks3}Kmc(2) is transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102.

Memory card 112 receives encrypted key {Ks3}Kmc(2) sent from memory card 110, and decrypts it by decryption processing portion 1404 with private decryption key Kmc(2) corresponding to memory card 112 to accept session key Ks3 produced by memory card 110 on the sending side (step S316).

In response to acceptance of session key Ks3, controller 1420 of memory card 112 instructs session key generating portion 1418 to produce session key Ks2, which is to be generated on the receiving side in the transfer session. Session key Ks2 produced thereby is transmitted to encryption processing portion 1406 via a contact Pf in select switch 1446 and a contact Pc in select switch 1444.

Decryption processing portion 1406 receives session key Ks3 obtained by decryption processing portion 1404 in step S316, and encrypts session key Ks2 and public encryption key KPm(2), which are obtained via contact Pc in select switch 1444 by appropriately selecting contacts Pf and Pe in select switch 1446, with session key Ks1, and outputs {Ks2//KPm(2)}Ks3 onto data bus BS3 (step S318).

Encrypted data {Ks2//KPm(2)}Ks3 output onto data bus BS3 is transmitted onto data bus BS3 of memory card 110 via cellular phones 102 and 100.

In memory card 110, decryption processing portion 1412 decrypts the encrypted data transmitted onto data bus BS3 with session key Ks3, and accepts session key Ks2 and public encryption key KPm(2) related to memory card 112 (step S320).

In accordance with the acceptance of session key Ks2 and public encryption key KPm(2), controller 1420 in memory card 110 determines the access restriction information AC1 in license information holding portion 1440 (step S322). When it is determined from access restriction information AC1 that transfer of license is impossible, the transfer is stopped at this stage (step S360).

When it is determined from access restriction information AC1 that the transfer session is allowed, the processing moves to next step S322, and controller 1420 obtains the corresponding content ID and license ID from license information holding portion 1440, updates the access restriction information in license information holding portion 1440, and records the inhibition of subsequent reproduction and transfer (step S324). In response to this, access restriction information AC1 is determined in each of the reproduction session and the transfer session, and processing is performed to inhibit the subsequent reproduction session and the subsequent transfer session.

Controller 1420 instructs the output of reproduction information corresponding to the content to be transferred. Decryption processing portion 1454 decrypts encrypted data {{Ks2//AC2}Kcom//license ID//content ID//AC1}K(1) output from memory 1415 so that {Kc//AC2}Kcom is obtained on data bus BS4 (step S326).

The license ID, content ID and access restriction information AC1, which are obtained from license information holding portion 1440 in step S324, and {Kc//AC2}Kcom obtained in step S326 are taken into encryption processing portion 1424 via data bus BS4, and are encrypted. Encryption processing portion 1424 encrypts these received data with public encryption key KPm(2), which is obtained by decryption processing portion 1412 in step S320, and is unique to memory card 112, to produce {{Ks2//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S328).

Encrypted data {{Ks2//AC2}Kcom//license ID//content ID//AC1}Km(2), which is output onto data bus BS4, is transmitted to encryption processing portion 1406 via contact Pd of select switch 1444. Encryption processing portion 1406 receives session key Ks2, which was prepared by memory card 112 and is obtained by decryption processing portion 1412, via contact Pb of select switch 1442, and encrypts the data received from contact Pd with session key Ks2.

Encryption processing portion 1406 outputs data {{{Ks2//AC2}Kcom//license ID//content ID//AC1}Km(2)}Ks2 onto data bus BS3 (step S330). In step S330, the encrypted data output onto data bus BS3 is transmitted to memory card 112, which is a receiver in the transfer session, via cellular phones 100 and 102.

In memory card 112, decryption processing portion 1412 performs the decryption with session key Ks2 produced by session key generating portion 1418, and accepts {{Ks2//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S332).

Data {{Ks2//AC2}Kcom//license ID//content ID//AC1}Km(2) encrypted with public encryption key KPm(2) is decrypted by decryption processing portion 1422 with private decryption key Km(2) unique to memory card 112 so that {Ks2//AC2}Kcom, license ID, content ID and access restriction information AC1 are accepted (step S334).

Then, data {Ks2//AC2}Kcom, license ID, content ID and access restriction information AC1 thus accepted are encrypted again by encryption processing portion 1452 with secret symmetric key K(2), which is held in K(2) holding portion 1450 and is unique to the memory card, and encrypted data {{Ks2//AC2}Kcom//license ID//content ID//AC1}K(2) is recorded in memory 1415 outside the TRM region (step S336).

Further, the license ID, content ID and access restriction information AC1 accepted by decryption processing portion 1422 are recorded in the designated bank of license information holding portion 1440 (step S338).

When the processing in and before step S338 is normally completed in the foregoing manner, a request for duplication of the content data is further issued via cellular phone 102 in response to the transfer of the reproduction information including license key Kc (step S340).

The request for duplication of the content data is transmitted to memory card 110 via cellular phone 100. In response to this, corresponding encrypted content data {Data}Kc and additional information Data-inf are output from memory 1415 in memory card 110 onto data bus BS3 (step S342). These data output onto data bus BS3 are transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102, and are recorded in memory 1415 in memory card 112 (step S344).

When recording of encrypted content data {Data}Kc and additional information Data-inf is completed, transfer acceptance is sent via cellular phone 102 (step S346).

When memory card 112 and corresponding cellular phone 102 normally execute the reproduction session in response to the above transfer acceptance, the user can listen to music via cellular phone 102 based on encrypted content data {Data}Kc and license key Kc recorded in memory card 112.

Cellular phone 100 on the sending side receives the transfer acceptance sent from cellular phone 102 (step S348), and receives an instruction from the user via touch key unit 1108 to either erase or hold the content data (step S350).

When erasing of the content data is instructed via touch key unit 1108, corresponding encrypted content data {Data}Kc and additional information Data-inf are erased in memory 1415 within memory card 110 (step S354). When holding of the content data is instructed, step S354 is skipped, and the transfer processing ends in this stage (step S356). In the transfer processing ending step S356, which is performed when the transfer session was normally performed, or when the transfer session is stopped as a result of authentication, checking of access restriction information AC1 or the like, all processing in the transfer session is skipped after step S308 or S322 (step S360).

The reproduction information such as corresponding content ID recorded in license information holding portion 1440 is in the same state as the erasing because access restriction information AC1 was updated in step S324 to inhibit the reproduction session and the transfer session. When the bank storing the reproduction information in this state receives new reproduction information distributed or transferred thereto for new content data, overwriting is allowed. Therefore, similar effects can be achieved by erasing all the data in this bank.

In the state where the encrypted content data is already recorded in memory 1415, the encrypted content data can be reproduced for listening to the music only by accessing distribution server 30 and receiving the distributed reproduction information. The processing of distributing only the reproduction information is not represented in the flowcharts. However, this processing is substantially the same as the processing in the distribution session shown in FIGS. 7 and 8 except that the steps S152, S154, S156 and S158 relating to the sending and receiving of the encrypted content data are not performed, and therefore description thereof is not repeated.

Owing to the above structures, the transfer session is likewise performed such that the encrypted data is transferred only after the content reproducing circuit (cellular phone) and memory card on the receiving side are authenticated. Therefore, the security level of the system is further increased.

[Second Embodiment]

FIG. 13 is a block diagram showing a structure of a memory card 114 of a second embodiment, and corresponds to FIG. 5 showing the first embodiment.

Referring to FIG. 13, memory card 114 differs from memory card 110 of the first embodiment shown in FIG. 5 in that a K(1)x holding portion 1451 employed in place of K(1) holding portion 1450 holds predetermined symmetric secret keys K(1)x (1≦x≦N), which are N in number and are unique to the memory, for allowing correspondence to each bank in license information holding portion 1440. Therefore, encryption processing portion 1452 and decryption processing portion 1454 are configured to perform the encryption or decryption with secret symmetric keys K(1)x, which are different from those for other content data (i.e., reproduction information) to be processed, under the control of controller 1420.

Structures other than the above are substantially the same as those of memory card 110 of the first embodiment. The same portions bear the same reference numbers, and description thereof is not repeated.

FIG. 14 conceptually shows allocation of the storage regions in license information holding portion 1440 and K(1)x holding portion 1451 shown in FIG. 13.

Similarly to the first embodiment, license information holding portion 1440 can transmit to and from data bus BS4 the license ID data, content ID data and access restriction information AC1. License information holding portion 1440 has N (N: natural number) banks, each of which can store a portion of the reproduction information. Likewise, K(1)x holding portion 1415 has N banks, which correspond to the banks of license information holding portion 1440, and have already stored secret symmetric keys K(1)x (1≦x≦N), respectively. In accordance with this, K(1)x holding portion 1451 has N (N: natural number) banks, and holds predetermined secret symmetric keys K(1)x (1≦x≦N) corresponding to the respective licenses in the corresponding banks, respectively.

FIGS. 15 and 16 are first and second flowcharts representing the distributing operation, which is performed when purchasing the content in the data distribution system according to the second embodiment, and correspond to FIGS. 7 and 8 representing the first embodiment, respectively.

FIGS. 15 and 16 show operations, in which user 1 uses memory card 114 and receives the content data from distribution server 30 via cellular phone 100.

In contrast to the distribution processing using memory card 110 of the first embodiment, memory card 114 operates as follows. In step S148′ shown in FIG. 16, data {Ks2//AC2}Kcom, license ID, content ID and access restriction information AC1 accepted in step S146 are encrypted by encryption processing portion 1452 with secret symmetric key K(1)x, which is unique to memory card 110 and corresponds to the bank of license information holding portion 1440. Thus, the reproduction information, which has the corresponding license ID and is recorded, e.g., in bank j (1≦j≦N) of license information holding portion 1440, is encrypted with K(1)j and is recorded as encrypted reproduction information {{Ks2//AC2}Kcom//license ID//content ID//AC1}K(1)j in memory 1415 outside the TRM region.

Processing other than the above is substantially the same as that in the distributing operation of the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

FIG. 17 is a flowchart representing operations of various portions in the reproduction session using the memory card of the second embodiment.

The processing in FIG. 17 differs from the distribution processing using memory card 110 of the first embodiment in the following points. In step S202′ shown in FIG. 17, controller 1106 of cellular phone 100 sends an instruction relating to bank j in the position, where the license is recorded, to memory card 114. In step S222, encrypted data {{Ks2//AC2}Kcom//license ID//content ID//AC1}K(1)j read from memory 1415 onto data bus BS4 is decrypted by decryption processing portion 1454 with the secret symmetric key held in K(1)x holding portion 1451 and particularly with secret symmetric key K(1)j held in bank j under the control of controller 1420.

Processing other than the above is substantially the same as that in the reproducing operation of the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated. The transfer operation of the memory card of the second embodiment is basically the same as that of the first embodiment.

Owing to the above structure, the security level for the content data can be further increased.

[Third Embodiment]

FIG. 18 is a block diagram showing a structure of memory card 116 of the third embodiment, and corresponds to FIG. 13 showing the second embodiment.

Referring to FIG. 18, memory card 116 differs from memory card 114 of the second embodiment shown in FIG. 13 in that a random number generating circuit 1460 employed in place of session key generating circuit 1418 produces session keys Ks2 and Ks3, and further produces secret symmetric key K(1)x (1≦x≦N) in response to each processing of writing the reproduction information. K(1)x holding portion 1451 includes N banks, which correspond to the N banks in license information holding portion 1440, respectively, and is configured to record secret symmetric key K(1)j generated by random number generating circuit 1460 in bank j of K(1)x holding portion 1451 when recording the license information, which is a part of the reproduction information, in bank j (1≦j≦N) of license information holding portion 1440. Recorded secret symmetric key K(1)j is used by encryption processing portion 1452 for encrypting the reproduction information for the license information recorded in bank j of the license information holding portion. In the third embodiment, therefore, encryption processing portion 1452 and decryption processing portion 1454 are configured to perform the encryption or decryption with secret symmetric key K(1)x, which is different from those for the other encrypted content data and thus other reproduction information, under the control of controller 1420.

Structures other than the above are substantially the same as those of memory card 114 of the second embodiment. The same portions bear the same reference numbers, and description thereof is not repeated.

FIG. 19 conceptually shows allocation of storage regions in license information holding portion 1440 and K(1)x holding portion 1451 shown in FIG. 18.

License information holding portion 1440 has N (N: natural number) banks, and holds the license information (content ID, license ID and access restriction information AC1), which is a part of reproduction information, in each bank. K(1)x holding portion 1451 likewise has N (N: natural number) banks, and each bank j stores corresponding secret symmetric key K(1)j, which is generated by random number generating circuit 1460 in response to every recording of the license information in bank j of license information holding portion 1440 during the distribution session or transfer session (receiving side).

FIGS. 20 and 21 are first and second flowcharts representing the distributing operation performed when purchasing the contents in the data distribution system according to the third embodiment, and correspond to FIGS. 15 and 16 showing the second embodiment, respectively.

FIGS. 20 and 21 represent the operations, in which the user uses a memory card 116, and receives the content data distributed from distribution server 30 via cellular phone 100.

In contrast to the distribution processing using memory card 114 of the second embodiment, memory card 116 operates as follows. If the license information is to be written into the jth bank, random number generating portion 1460 produces a random number, and stores it as secret symmetric key K(1)j in bank j of K(1)x holding portion 1451.

Processing other than the above is substantially the same as that in the distributing operation of the first embodiment. The same operations and steps bear the same reference numbers, and description thereof is not repeated.

The reproduction operation and transfer operation of memory card 116 of the third embodiment are basically the same as those of the second embodiment.

Owing to the above structure, the security level for the content data can be further increased.
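
The bank bookkeeping described for the third embodiment, together with the sender-side AC1 check and update of steps S322 to S326 in the transfer session, sketched as an added example (not code from the patent). The SHA-256 counter-mode cipher, the JSON record layout, the two-flag form of AC1, N = 4 and handing the receiver the pre-update AC1 are assumptions; the KPm(2) and Ks2 layers of the transfer are left out.

```python
import hashlib
import json
import secrets

N_BANKS = 4  # assumed; the text only says N is a natural number


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 in counter mode, no integrity tag).
    The text does not name the cipher used with K(1)x; this is an assumption."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class MemoryCard116:
    """Toy model of the third embodiment's storage, not the patent's circuit."""

    def __init__(self):
        self.license_banks = [None] * N_BANKS  # license information holding portion 1440 (TRM)
        self.key_banks = [None] * N_BANKS      # K(1)x holding portion 1451 (TRM)
        self.memory_1415 = {}                  # outside the TRM: bank -> (nonce, ciphertext)

    def writable_bank(self):
        """A bank is free if empty or if AC1 already inhibits reproduction and transfer."""
        for j, info in enumerate(self.license_banks):
            if info is None or not (info["ac1"]["reproduce"] or info["ac1"]["transfer"]):
                return j
        return None

    def record(self, j, license_id, content_id, ac1, kc_ac2):
        """Receiving side (distribution or transfer): store reproduction information in bank j."""
        self.key_banks[j] = secrets.token_bytes(32)  # fresh K(1)j on every write (circuit 1460)
        self.license_banks[j] = {"license_id": license_id, "content_id": content_id,
                                 "ac1": dict(ac1)}
        plaintext = json.dumps({"kc_ac2": kc_ac2.hex(), "license_id": license_id,
                                "content_id": content_id, "ac1": ac1}).encode()
        nonce = secrets.token_bytes(16)
        self.memory_1415[j] = (nonce, keystream_xor(self.key_banks[j], nonce, plaintext))

    def decrypt_blob(self, j, blob):
        """Decrypt an arbitrary (nonce, ciphertext) pair under K(1)j; returns raw bytes."""
        nonce, ciphertext = blob
        return keystream_xor(self.key_banks[j], nonce, ciphertext)

    def reproduce(self, j):
        """Release Kc//AC2 only while AC1 in bank j still permits reproduction."""
        info = self.license_banks[j]
        if info is None or not info["ac1"]["reproduce"]:
            return None
        record = json.loads(self.decrypt_blob(j, self.memory_1415[j]))
        return bytes.fromhex(record["kc_ac2"])

    def transfer_out(self, j):
        """Sending side, steps S322 to S326: check AC1, inhibit the bank, then decrypt."""
        info = self.license_banks[j]
        if info is None or not info["ac1"]["transfer"]:
            return None  # transfer stopped (step S360)
        outgoing_ac1 = dict(info["ac1"])  # assumption: receiver gets the pre-update AC1
        info["ac1"] = {"reproduce": False, "transfer": False}  # step S324
        record = json.loads(self.decrypt_blob(j, self.memory_1415[j]))  # step S326
        return {"license_id": info["license_id"], "content_id": info["content_id"],
                "ac1": outgoing_ac1, "kc_ac2": bytes.fromhex(record["kc_ac2"])}


def demo():
    """Constructed sample values; returns the observations the prose describes."""
    sender, receiver = MemoryCard116(), MemoryCard116()
    kc_ac2 = bytes(range(16))  # constructed stand-in for Kc//AC2
    sender.record(0, "LIC-0001", "CID-0001", {"reproduce": True, "transfer": True}, kc_ac2)
    copied_blob = sender.memory_1415[0]  # memory outside the TRM can be copied freely
    moved = sender.transfer_out(0)
    slot = receiver.writable_bank()
    receiver.record(slot, **moved)
    return {
        "receiver_plays": receiver.reproduce(slot) == kc_ac2,
        "sender_plays_after_transfer": sender.reproduce(0) is not None,
        "sender_bank_reusable": sender.writable_bank() == 0,
        "copied_blob_opens_on_receiver": receiver.decrypt_blob(slot, copied_blob)
                                         == sender.decrypt_blob(0, copied_blob),
    }


if __name__ == "__main__":
    print(demo())
```

The ciphertext left in memory 1415 on the sending card is never erased in this model; what stops reproduction is the AC1 state inside the TRM, and what stops reuse of a copied ciphertext on another card or bank is that K(1)j never leaves the bank it was generated for.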

The processing in each of the first, second and third embodiments is different from the processing in the other embodiments only in the processing within the memory card, and there is no difference in encryption of data performed outside the memory card. In connection with the combination of the sending and receiving sides, however, the transfer operations can be performed using any combination of memory cards 110, 114 and 116, which have been described in the respective embodiments.

Accordingly, memory cards 110, 114 and 116 are compatible with each other.

[Fourth Embodiment]

A data distribution system of a fourth embodiment differs from the data distribution system of the first embodiment in that the distribution server and the cellular phone do not utilize the encryption and decryption with secret common key Kcom common to all the reproducing circuits.

More specifically, the data distribution system of the fourth embodiment employs a license server 11 instead of license server 10, which is employed in distribution server 30 of the data distribution system of the first embodiment shown in FIG. 3. The data distribution system of the fourth embodiment employs a cellular phone 103 having a structure other than that of cellular phone 100 already described in FIG. 4.

FIG. 22 represents characteristics of the data, information and others used for the communication in the data distribution system of the fourth embodiment, and corresponds to FIG. 2 showing the first embodiment. However, characteristics in FIG. 22 are the same as those in FIG. 2 except that secret common key Kcom is not represented, and therefore, description thereof is not repeated.

FIG. 23 is a schematic block diagram showing a structure of license server 11 of the data distribution system according to the fourth embodiment.

License server 11 differs from license server 10 in that license server 11 does not employ holding portion 322 of secret common key Kcom common to all the reproducing circuits as well as encryption processing portion 324 for performing the encryption using secret common key Kcom as the encryption key. In a distribution server 31, therefore, license key Kc and reproducing circuit restriction information AC2, which are output from distribution control portion 315, are directly sent to encryption processing portion 326. Circuit structures and operations other than the above are substantially the same as those of license server 10 shown in FIG. 3, and therefore description thereof is not repeated.

In the following description, license server 11, authentication server 12 and distribution carrier 20 are collectively referred to as “distribution server 31” hereinafter.

FIG. 24 is a schematic block diagram showing a structure of cellular phone 103 used in the data distribution system of the fourth embodiment.

Referring to FIG. 24, cellular phone 103 differs from cellular phone 100 of the first embodiment shown in FIG. 4 in that Kcom holding portion 1512 for holding secret common key Kcom symmetric to the reproducing circuit and decryption processing portion 1514 using secret common key Kcom are not employed.

Corresponding to the fact that distribution server 31 does not perform the encryption with secret common key Kcom, license key Kc in cellular phone 103 can be directly obtained by decryption processing portion 1510 performing the decryption with session key Ks4, and therefore cellular phone 101 is configured to apply license key Kc directly to decryption processing portion 1510. Circuit structures and operations other than the above are substantially the same as those of cellular phone 100. Description of the same structures and operations is not repeated.

The memory card used in the data distribution system of the fourth embodiment has the same structure as that of memory card 110 shown in FIG. 5, and therefore description thereof is not repeated.

By eliminating the encryption with secret common key Kcom common to all the reproducing circuits, differences occur in operation during distribution and reproduction sessions. These differences will now be described with reference to flowcharts.

FIGS. 25 and 26 are first and second flowcharts showing a distributing operation in the data distribution system according to the fourth embodiment, respectively. With reference to FIG. 25, description will now be given on only differences from the distributing operation of the data distribution system of the first embodiment, which is represented in the flowcharts of FIGS. 7 and 8.

Referring to FIGS. 25 and 26, the processing in and before step S132 is the same as that represented in the flowchart of FIG. 7.

As already described with reference to FIG. 23, license key Kc and reproducing circuit restriction information AC2 obtained in step S132 are encrypted with public encryption key KPm(1) unique to memory card 110 without being encrypted with secret common key Kcom. Therefore, step S134 is eliminated.

Subsequently to step S132, steps S136a–S146a are executed instead of steps S136–S146. In each of steps S136a–148a, license key Kc and reproducing circuit restriction information AC2 are handled in the form of Kc//AC2 instead of the form of {Kc/AC2}Kcom handled in steps S136–S148. Other steps and operations in the encryption and decryption processing are substantially the same as those already described with reference to FIG. 8, and therefore description thereof is not repeated.

FIG. 27 is a flowchart representing the reproducing operation in the data distribution system according to the fourth embodiment.

Referring to FIG. 27, the reproducing operation in the data distribution system of the fourth embodiment differs from the distributing operation in the data distribution system of the first embodiment shown in FIG. 9 in that steps S222a–S226a are executed instead of steps S222–S226. In each of steps S222a–S226a, license key Kc and reproducing circuit restriction information AC2 are handled in the form of Kc//AC2 instead of the form of {Kc/AC2}Kcom handled in steps S222–S226. Other steps and operations in the encryption and decryption processing are substantially the same as those already described with reference to FIG. 10, and therefore description thereof is not repeated. Further, license key Kc and reproducing circuit restriction information AC2 are encrypted with secret symmetric key K(1) unique to memory card 110 without being encrypted with secret common key Kcom. Therefore, step S228 is eliminated. Steps other than the above are substantially the same as those in FIG. 9, and therefore description thereof is not repeated.

The transfer operation is substantially the same as that of the first embodiment in that license key Kc and reproducing circuit restriction information AC2 are not encrypted with secret common key Kcom.

Owing to the above structure, the data distribution system providing the effects similar to those of the data distribution system of the first embodiment can be achieved by the structure, which does not use secret common key Kcom common to all the reproducing circuits and corresponding secret common key Kcom.

The data distribution systems of the second and third embodiments may employ the distribution server and the cellular phone, which do not utilize the encryption and decryption based on secret common key Kcom common to all the reproducing circuits.

In all the embodiments already described, the reproduction information distributed from the distribution server is received in such a manner that authentication data {KPm(1)}KPma and {KPp(1)}KPma of the memory card and the cellular phone (content reproducing circuit) are sent to the distribution server (step S104), the distribution server receives them (step S106), and decrypts them with authentication key KPma (step S108), and then authentication processing for both the memory card and the cellular phone (content reproducing circuit) is performed in accordance with results of the decryption. However, (i) it is not essential that the content reproducing circuit for reproducing the music is the same as the cellular phone receiving the distributed data because the memory card is removable. Further, (ii) when a part of reproduction information (i.e., license key Kc and reproducing circuit restriction information AC2) is to be sent from the memory card for performing the reproduction, the memory card internally performs the authentication processing on authentication data {KPm(1)}KPma of the content reproducing circuit on the receiving side, and the security level does not lower even if the authentication processing of authentication data {KPm(1)}KPma of the content reproducing circuit is not performed in the distribution server. For these reasons, such a structure may be employed that the authentication processing of authentication data {KPm(1)}KPma of the content reproducing circuit is not performed in the distribution server.

In this case, the cellular phone sends the content ID, authentication data {KPm(1)}KPma of the memory card and license purchase condition data AC in step S104, and the distribution server sends the content ID, authentication data {KPm(1)}KPma of the memory card and license purchase condition data AC in step S106, and decrypts authentication data {KPm(1)}KPma with authentication key KPma to accept public encryption key KPm(1). Subsequently, the authentication processing is performed based on results of the decryption, or results of inquiry to the authentication server, and it is determined whether public encryption key KPm(1) was issued from a valid device or not. Subsequent processing is performed in accordance with the results of this determination as well as the results of determination relating to authentication data {KPm(1)}KPma of the memory card. Only the changes described above are required, and no change is required in the reproduction and transfer.

Although the present invention has been described and illustrated in detail, it is clearly understood that the same is by way of illustration and example only and is not to be taken by way of limitation, the spirit and scope of the present invention being limited only by the terms of the appended claims.

1. A recording device (110) for receiving and recording data encrypted with a first public encryption key (KPm(i)) predetermined with respect to the recording device, and used for decrypting encrypted content data, comprising: a first key holding portion (1421) for holding a first private decryption key (Km(i)) being asymmetric to said first public encryption key and used for decrypting data encrypted with said first public encryption key; a first decryption processing portion (1422) for receiving a license key encrypted with said first public encryption key, and decrypting the received data with said first private decryption key; a second key holding portion (1450, 1451) for holding at least one secret unique key (K(i)) being unique to said recording device and being symmetric in a symmetric key cryptosystem; a first encryption processing portion (1452) for receiving and encrypting said license key again with said secret unique key; a recording portion for receiving and storing the output of said first encryption processing portion; and a second decryption processing portion (1454) for decrypting said license key stored in said recording portion with said secret unique key.

2. The recording device according to claim 1, further comprising: a third key holding portion (1402) for holding a second private decryption key (Kmc(n)) used for decrypting data encrypted with a second public encryption key (KPmc(n)) predetermined with respect to said recording device; a third decryption processing portion (1404) for receiving a first symmetric key (Ks1) updated in response to every input/output of said license key and encrypted with said second public encryption key, and performing decryption with said second private decryption key; a fourth key holding portion (1416) for holding said first public encryption key; a session key generating portion (1418) for generating a second symmetric key (Ks2) in response to every input/output of said license key; a second encryption processing portion (1406) for receiving and encrypting said first public encryption key and the output of said session key generating portion with said first symmetric key; and a fourth decryption processing portion (1412) for decrypting with said second symmetric key the data encrypted with said first public encryption key and further encrypted with said second symmetric key, and applying the decrypted data to said first decryption processing portion.

3. The recording device according to claim 1, wherein said first private decryption key is a private decryption key being unique to said recording device and being predetermined for said recording device.

4. The recording device according to claim 1, wherein said second key holding portion holds a predetermined plural number of said secret unique keys capable of corresponding to said respective license key stored in said recording portion.

5. The recording device according to claim 1, further comprising: a random number generating portion (1460) for producing said secret unique key from a random number, wherein said second key holding portion (1451) holds a plurality of said secret unique keys produced corresponding to respective inputs of said license key in forms corresponding to said encrypted data.

6. The recording device according to claim 2, wherein said session key generating portion further produces said secret unique key corresponding to every input of the data, and said second key holding portion holds said plurality of produced secret unique keys in forms corresponding to said license key.

7. The recording device according to claim 2, further comprising: an authentication data holding portion (1400) holding authentication data prepared by encrypting said predetermined second public encryption key corresponding to said recording device into a form allowing authentication with an authentication key (Kpma), and being capable of externally outputting said authentication data.

8. The recording device according to claim 2, further comprising: an authentication data holding portion holding authentication data prepared by encrypting said predetermined second public encryption key corresponding to said recording device and data for authenticating said recording device into a form allowing authentication with an authentication key, and being capable of externally outputting said authentication data.

9. The recording device according to claim 2, wherein said recording device accepts authentication data prepared by encrypting an externally applied third public encryption key into a form decodable with an authentication key in response to every output of said license key; and said recording device further comprises: an authentication key holding portion for holding said authentication key, an authentication processing portion (1420) for decrypting with said authentication key said authentication data prepared by encrypting said externally applied third public encryption key into a form decodable with said authentication key, and determining based on belonging data produced by the decryption processing whether said third public encryption key is to be accepted or not, and a third encryption processing portion (1410) for encrypting the second symmetric key generated by said session key generating portion with said third public encryption key, and externally outputting the encrypted second symmetric key when said authentication processing portion accepts said third public encryption key.

10. The recording device according to claim 9, further comprising: a third encryption processing portion (1424) for encrypting an externally applied fourth public encryption key (KPm(j)) encrypted together with said first symmetric key with said second symmetric key, wherein said fourth decryption processing portion decrypts said first symmetric key and said fourth public encryption key encrypted with said second symmetric key, said second decryption processing portion decrypts said license key stored in said recording portion; said fourth encryption processing portion encrypts the output of said second decryption processing portion with said fourth public encryption key, and said second encryption processing portion further encrypts the output of said fourth encryption processing portion with said first symmetric key, and outputting the encrypted output.

11. The recording device according to claim 1, wherein said recording device receives and further records encrypted content data corresponding to said license key, said recording portion includes: a first recording portion for storing said license key encrypted by said first encryption processing portion, and a second recording portion for storing said encrypted content data applied to said second recording portion as it is.

12. The recording device according to claim 11, wherein said recording portion has a control information recording portion (1440) for receiving control information applied together with said license key after being encrypted with said first public encryption key, and relating to output of said license key, and for recording said control information decrypted by said first decryption processing portion; and said recording device further comprises a control portion for controlling output of said license key in response to an external request for output of said license key and in accordance with said control information recorded in said control information recording portion.

13. The recording device according to claim 1, wherein said recording portion is a memory card.

14. The recording device according to claim 9, wherein said fourth decryption processing portion decrypts said first symmetric key decrypted with said second symmetric key, said second decryption processing portion decrypts data stored in said recording portion, and said second encryption processing portion encrypts the output of said second decryption processing portion with said first symmetric key, and outputting the encrypted output.